FortiGate
hvardhang
Staff
Article Id 194229

Description

This article describes how to alter the default login-attempt-limit and login-block-time for SSL VPN users.

 

Scope

FortiGate.


Solution

The default login-attempt-limit for SSL VPN users is 2, and the login-block-time is 60 seconds.


With these settings, if the firewall observes two consecutive incorrect username/password combinations from the same IP address within 60 seconds, it blocks attempts for the next 60 seconds and responds with the message 'Too many bad login attempts. Please try again in a few minutes'.

After seeing this message, a user must wait for the login-block-time to elapse before trying again.

To modify this, configure the desired values in the CLI as shown below:

config vpn ssl settings
    set login-attempt-limit <attempt_limit>    <----- Number of failed attempts before triggering the block.
    set login-block-time <block_time>          <----- Number of seconds to block.
end

The above configuration can help mitigate brute force credential attacks through SSL VPN.

Note: Setting either login-attempt-limit or login-block-time to 0 disables the block. 'login-block-time' defines both the block time and the window within which failed attempts are considered consecutive.

To view the block-listed IP addresses, use the CLI command:

diagnose vpn ssl blocklist list

 

Note: The command is available in FortiOS 7.2.6 and later, and in 7.4.1 and later.

Sample output:

[screenshot of sample output]

Status: locked – indicates that the user has reached the maximum number of failed login attempts.

Status: pending – indicates that the user's failed login attempts are fewer than the configured login-attempt-limit.


To delete an entry from the SSL VPN blocklist, use the CLI command:

diagnose vpn ssl blocklist del <all|vfid|addr>

Example output:

[screenshots of example output]

To view the total number of users with failed login attempts, use the CLI command:

diagnose vpn ssl blocklist count

 

This method does not apply to SAML user groups. SAML user groups are authenticated by an external IdP (an Azure application, FortiAuthenticator, or another IdP), not by the FortiGate, so the FortiGate cannot count each incorrect username/password entry.
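To make the interaction of login-attempt-limit and login-block-time concrete, the following is an added example written for this article; it is not Fortinet code and does not reproduce the output of any FortiOS command. It models the lockout policy described above against a constructed stream of login events, and approximates what the blocklist list, count and del commands report. Assumptions not spelled out in the article: failures are tracked per source IP address, a successful login clears that address's consecutive-failure counter, the attempt that reaches the limit is itself reported as 'failed' (only later attempts during the block are 'blocked'), and the IP addresses are constructed documentation addresses.

```python
# Added example (not FortiOS code): a small model of the SSL VPN lockout policy
# described in the article, so the effect of login-attempt-limit and
# login-block-time can be exercised against constructed login events.
#
# Assumptions made here that the article does not spell out:
#   - failures are counted per source IP address;
#   - a successful login clears that address's consecutive-failure counter;
#   - the attempt that reaches the limit is reported as 'failed', and only the
#     attempts made during the block period are reported as 'blocked'.
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class _IpState:
    failures: List[float] = field(default_factory=list)  # timestamps of recent failures
    blocked_until: float = 0.0                            # seconds; 0 = not blocked


class SslVpnLockout:
    """Mirrors 'config vpn ssl settings' login-attempt-limit / login-block-time."""

    BLOCK_MESSAGE = "Too many bad login attempts. Please try again in a few minutes"

    def __init__(self, login_attempt_limit: int = 2, login_block_time: int = 60):
        self.limit = login_attempt_limit
        self.block_time = login_block_time
        self._state: Dict[str, _IpState] = {}

    @property
    def enabled(self) -> bool:
        # Per the article's note, 0 for either setting disables the block.
        return self.limit > 0 and self.block_time > 0

    def _recent(self, st: _IpState, now: float) -> List[float]:
        # login-block-time doubles as the window within which failures count as consecutive.
        return [t for t in st.failures if now - t < self.block_time]

    def attempt(self, ip: str, now: float, credentials_ok: bool) -> str:
        """Record one login attempt; returns 'ok', 'failed' or 'blocked'."""
        st = self._state.setdefault(ip, _IpState())
        if self.enabled and now < st.blocked_until:
            return "blocked"          # user sees BLOCK_MESSAGE, even with correct credentials
        if credentials_ok:
            st.failures.clear()       # assumption: success resets the consecutive count
            return "ok"
        if not self.enabled:
            return "failed"           # lockout disabled: nothing is tracked
        st.failures = self._recent(st, now) + [now]
        if len(st.failures) >= self.limit:
            st.blocked_until = now + self.block_time
            st.failures.clear()
        return "failed"

    def blocklist(self, now: float) -> Dict[str, str]:
        """Approximates 'diagnose vpn ssl blocklist list': ip -> 'locked' | 'pending'."""
        out: Dict[str, str] = {}
        for ip, st in self._state.items():
            if self.enabled and now < st.blocked_until:
                out[ip] = "locked"
            elif self._recent(st, now):
                out[ip] = "pending"
        return out

    def count(self, now: float) -> int:
        """Approximates 'diagnose vpn ssl blocklist count'."""
        return len(self.blocklist(now))

    def delete(self, ip: str) -> None:
        """Approximates 'diagnose vpn ssl blocklist del <addr>': drops the entry."""
        self._state.pop(ip, None)


if __name__ == "__main__":
    # Constructed event stream: two failures ten seconds apart from one address.
    fw = SslVpnLockout()  # FortiOS defaults: limit 2, block 60 s
    print(fw.attempt("198.51.100.7", 0, False))    # failed
    print(fw.attempt("198.51.100.7", 10, False))   # failed (limit reached, blocked for 60 s)
    print(fw.attempt("198.51.100.7", 20, True))    # blocked
    print(fw.blocklist(now=20))                    # {'198.51.100.7': 'locked'}
    print(fw.attempt("198.51.100.7", 71, True))    # ok (block expired at t=70)
```

Running the module shows the point of the note above: because login-block-time is also the window, two failures 60 seconds or more apart never count as consecutive, and setting either value to 0 leaves every address in the 'failed' state without ever entering the blocklist.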

 

Related articles:
Technical Tip: How to unblock IP addresses from the SSL VPN blocklist

Technical Tip: SSL VPN timers explanation and SSL VPN Login Attempt Limit (aka 'Lockout')

Technical Tip: 'auth-timeout' setting for SSL-VPN